On Jul 1, 2009, at 12:17, Eric Chris Garrison <[email protected]> wrote:
From: Andrew Deason <[email protected]>
I've added an afs service principal from each of two realms to the
KeyFile using asetkey. I've added both realms in /etc/krb.conf, the
first two lines of the file being the two realms.
You probably want /usr/afs/etc/krb.conf (if using transarc paths), or
/etc/openafs/server/krb.conf.
Thanks, that did help, I've gotten further now.
What I'm seeing now though, is that although I used asetkey to add the
service principal from the ADS realm to my test cell, permissions aren't
working as I'd expect.
So, we have realm AFSTEST.IU.EDU and ADS.IU.EDU. Both in the KeyFile and
in the /usr/afs/etc/krb.conf and both listed in the /etc/krb5.conf.
which is in ThisCell? is the same first in krb.conf?
do you have an afs key from each in KeyFile? are the kvnos different?
On a client machine, I can kinit as the original, as
[email protected] and can get permissions as expected to OpenAFS
directories with ACLs granted to OpenAFS user ecgarris.
I would expect on a multi-realm cell, that I could come in as
[email protected] and have the same permissions as
[email protected], but I don't, I get permission denied. If I
create a file in an anyuser-writable directory, the UNIX permissions show
it as owned by ecgarris, but I still get Permission Denied when I try to
access directories owned by OpenAFS ecgarris.
If I make the ONLY realm ADS.IU.EDU I have the same problem as well.
Does this mean if we switch domains, all existing users will need extra
ACLs inserted to accommodate the new domain?
No
Is there a better answer?
Probably
Am I just missing something simple?
Maybe
Thanks!
Chris
--
Eric Chris Garrison | Principal Mass Storage Specialist
[email protected] | Indiana University - Research Storage
W: 317-278-1207 M: 317-250-8649 | Jabber IM: [email protected]
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info